spdx / Spdx-Java-Library

Java library which implements the Java object model for SPDX and provides useful helper functions
Apache License 2.0

tools-java should issue an error for absolute FileName #195

Closed vargenau closed 9 months ago

vargenau commented 9 months ago

Anchore Syft tool generates the following SPDX (tag:value):

FileName: /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
SPDXID: SPDXRef-File-...Actalis-Authentication-Root-CA.crt-b2e28e6876228bbb
FileType: TEXT
FileChecksum: SHA1: 511ca95607022a99ed8e68bd63f136c4854cefcb
LicenseConcluded: NOASSERTION
FileComment: layerID: sha256:3f946b95045046b182ad195bfdb24fe56dd6ea12d34e35a0995218d22c05102a

tools-python complains that it is invalid SPDX.

file name must not be an absolute path starting with "/", but is: /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt

tools-java says that the SPDX file is valid.

The SPDX spec says: "A relative filename".

So I would expect tools-java to mark the file as invalid.

goneall commented 9 months ago

I agree - the validation for the SPDX file path name is in the SPDX Java Library - so I'm transferring the issue there.

goneall commented 9 months ago

PR #196 explicitly checks for "./". Now that I think about this, perhaps it should only disallow absolute file paths - those starting with "/".

@vargenau - what do you think?

vargenau commented 9 months ago

Yes, I would only forbid absolute paths, those starting with "/".

The spec says "In general, every filename is preceded with a ./", so this seems to be a recommendation, not something mandatory.

I will ask the opinion of the community in the tech mailing list.

vargenau commented 9 months ago

It seems the community agrees that only paths starting with "/" should be rejected. Paths are not required to start with "./".

goneall commented 9 months ago

Thanks @vargenau for checking on this - I've updated the PR to only reject the absolute paths.
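The rule the thread settles on (reject a FileName only when it starts with "/", do not require "./"), shown next to the stricter "./" check first described for PR #196, as an added example; this is not code from the Spdx-Java-Library or tools-python, and the tag:value sample, the regex and the function names are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample in SPDX tag:value form, modelled on the Syft output
# quoted in the issue: one absolute FileName (the reported problem), one
# with the "./" prefix the spec recommends, and one bare relative path.
SAMPLE_TAG_VALUE = """\
FileName: /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
SPDXID: SPDXRef-File-Actalis
FileType: TEXT
FileChecksum: SHA1: 511ca95607022a99ed8e68bd63f136c4854cefcb
LicenseConcluded: NOASSERTION
FileName: ./src/main.c
SPDXID: SPDXRef-File-main
FileName: docs/README.md
SPDXID: SPDXRef-File-readme
"""

# A tag:value line is "Tag: value"; the value itself may contain colons
# (e.g. "FileChecksum: SHA1: <hex>"), so only the first colon is the separator.
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_file_names(text: str) -> List[str]:
    """Return every FileName value in a tag:value document, in document order."""
    names = []
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if m and m.group(1) == "FileName":
            names.append(m.group(2).strip())
    return names


def is_absolute_path(name: str) -> bool:
    """The agreed rule: only names starting with '/' are invalid."""
    return name.startswith("/")


def lacks_dot_slash(name: str) -> bool:
    """The stricter check originally described for PR #196 (a './' prefix required)."""
    return not name.startswith("./")


def validate(text: str, strict_dot_slash: bool = False) -> List[Tuple[str, str]]:
    """Return (file name, reason) for each FileName the chosen rule rejects."""
    problems = []
    for name in parse_file_names(text):
        if is_absolute_path(name):
            problems.append((name, 'absolute path starting with "/"'))
        elif strict_dot_slash and lacks_dot_slash(name):
            problems.append((name, 'missing "./" prefix'))
    return problems
```

With the default rule only the Syft-style absolute path is reported; with `strict_dot_slash=True` the bare `docs/README.md` would be rejected too, which is the over-strictness the thread decided against.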